
How can password_verify validate passwords without knowing salt and cost?

The function password_verify() in the new PHP password API checks if the password corresponds to the hash. The hash is generated by password_hash(), which by default uses a random salt and a cost = 10.

I always thought (although I never studied it) that you have to store the salt inside the database and then when you want to verify the password, hash it with the given salt using the same cost. How can password_verify() check the password without knowing salt and cost?

Marco Sulla asked Jun 01 '13 17:06



People also ask

How does password_verify work?

The password_verify() function is used to match the hashed password with the original password. Another function, password_hash(), is used to generate the hash value based on the hashing algorithm, cost, and salt value. The password_verify() function has all the hashing information it needs to verify the hash against the password.

What does password_verify do in PHP?

The password_verify() function verifies that the given hash matches the given password. Note that the password_hash() function returns the algorithm, cost, and salt as part of the returned hash. Therefore, all the information needed to verify a hash is included in it.

How to match a hashed password in PHP?

To verify a hashed password, PHP provides a built-in function called password_verify that matches the hashed password against the original password. Parameters: $password: the password that we have hashed using a hashing algorithm. $hash: the hashed password that we are going to verify against the original password.

How to hash password in PHP mysql?

You first hash the password by doing this: $hashed_password = password_hash($password, PASSWORD_DEFAULT); Then see the output: var_dump($hashed_password);


1 Answer

The string returned by password_hash() contains not only the hash, but also the algorithm, cost and salt.

Niels B. answered Oct 21 '22 17:10

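What the answer describes, as an added example that is not part of the original answer: the sketch below splits a bcrypt string from password_hash() into its algorithm, cost, salt and digest fields, then re-computes the hash from those embedded settings and compares the outcome with password_verify(). The helper names split_bcrypt and manual_verify and the sample password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

$password = 'correct horse battery staple';   // constructed sample input
$stored   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// A bcrypt string is 60 characters in four fields:
//   $<variant>$<2-digit cost>$<22-char salt><31-char digest>
function split_bcrypt(string $hash): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Re-hash the candidate with the settings prefix cut from the stored string,
// then compare in constant time. Hypothetical helper, for illustration only.
function manual_verify(string $candidate, string $stored): bool
{
    $settings = substr($stored, 0, 29);      // variant, cost and the 22-char salt
    return hash_equals($stored, crypt($candidate, $settings));
}

print_r(split_bcrypt($stored));              // fields recovered from the string alone
print_r(password_get_info($stored));         // PHP's own view: algorithm and cost

// Both checks compare the manual result with password_verify() for the same input.
var_dump(manual_verify($password, $stored) === password_verify($password, $stored));
var_dump(manual_verify('wrong guess', $stored) === password_verify('wrong guess', $stored));

// Because the cost travels with the hash, a later policy change can be detected per user.
var_dump(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]));
```

Storing the full 60-character string in one column is therefore sufficient; a separate salt column adds nothing, and truncating the column breaks verification.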